Vulnerabilities > Wordpress > Wordpress > 3.7.23

DATE CVE VULNERABILITY TITLE RISK
2020-09-13 CVE-2020-25286 Unspecified vulnerability in Wordpress
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.
network
low complexity
wordpress
5.0
2020-06-12 CVE-2020-4050 Authentication Bypass Using an Alternate Path or Channel vulnerability in multiple products
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved.
network
high complexity
wordpress fedoraproject debian CWE-288
3.1
2020-06-12 CVE-2020-4049 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in multiple products
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page.
network
low complexity
wordpress fedoraproject debian CWE-80
2.4
2020-06-12 CVE-2020-4048 Open Redirect vulnerability in multiple products
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked.
network
low complexity
wordpress fedoraproject debian CWE-601
5.7
2020-06-12 CVE-2020-4047 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in multiple products
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.
network
low complexity
wordpress fedoraproject debian CWE-80
6.8
2020-06-12 CVE-2020-4046 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor.
network
low complexity
wordpress debian fedoraproject CWE-79
5.4
2020-04-30 CVE-2020-11030 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor.
3.5
2020-04-30 CVE-2020-11029 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks.
network
low complexity
debian wordpress CWE-79
6.1
2020-04-30 CVE-2020-11028 Missing Authentication for Critical Function vulnerability in multiple products
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions.
4.3
2020-04-30 CVE-2020-11027 Operation on a Resource after Expiration or Release vulnerability in multiple products
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password.
network
low complexity
debian wordpress CWE-672
8.1